UNCLASSIFIED   Implementing Security on Cisco Routers   Version 1.0g   UNCLASSIFIED   75

   East(config)# access-list 105 permit tcp host 14.2.6.1 any eq 23 log
   East(config)# access-list 105 permit tcp host 14.2.6.18 any eq 23 log
   East(config)# access-list 105 deny ip any any log
   East(config)# line vty 0 4
   East(config-line)# access-class 105 in
   East(config-line)# end

SNMP Service

A Cisco router can be configured to act as a client for SNMP. When SNMP service is enabled on a router, network management tools can use it to gather information about the router configuration, route table, traffic load, and more. Versions 1 and 2 of SNMP are not considered very secure due to the lack of strong authentication. Thus, SNMP should be used only on the internal or protected network.

The following example shows the configuration of a standard IP access list that is applied to the SNMP server. This access list allows the host with IP address 14.2.6.6 to gather SNMP information from the router. The list denies all other connections.

   East(config)# access-list 75 permit host 14.2.6.6
   East(config)# snmp-server community n3t-manag3m3nt ro 75

For more information about SNMP configuration, see Sections 4.2.2 and 4.5.3.

OSPF Service

Communications between routers for routing table updates involve routing protocols. These updates provide directions to a router on which way traffic should be routed. You can use access lists to restrict what routes the router will accept (in) or advertise (out) via routing protocols. The following example shows the configuration of an extended IP access list applied to the OSPF routing protocol, area 1. With the access list applied, router North will not advertise routes to the 14.2.9.0 network.

   North(config)# access-list 10 deny 14.2.9.0 0.0.0.255
   North(config)# access-list 10 permit any
   North(config)# router ospf 1
   North(config-router)# distribute-list 10 out
   North(config-router)# end

For more information about OSPF security configuration, see Section 4.4.

4.3.3. Filtering Traffic through the Router

The following examples illustrate methods to protect the router or the internal network from attacks. Note: these separate examples should not be combined into one access list, because the result would contain contradictions. In the next section an example configuration file is presented that shows one way to combine these methods into access lists. Refer to the network diagram in Figure 4-1 to understand the example interfaces, their IP addresses and the corresponding access lists.
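As an added example (not from the guide), the following Python evaluator parses the vty, SNMP and OSPF lists shown in this section and applies IOS first-match semantics with the implicit deny at the end of every list, so a reviewer can check what a candidate list actually permits before it is applied to a line, server or routing process. The CONFIG text is a constructed sample; standard lists (1-99) are treated as source-only and extended lists as protocol/source/destination with an optional destination port.

```python
import ipaddress
# Constructed sample (not the guide's text): this section's lists as configured.
CONFIG = """
access-list 105 permit tcp host 14.2.6.1 any eq 23 log
access-list 105 permit tcp host 14.2.6.18 any eq 23 log
access-list 105 deny ip any any log
access-list 75 permit host 14.2.6.6
access-list 10 deny 14.2.9.0 0.0.0.255
access-list 10 permit any
"""
ANY = (0, 0xFFFFFFFF)  # address 0 with an all-ones wildcard matches everything

def _ip(text):
    return int(ipaddress.IPv4Address(text))

def _addr(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D [WILDCARD]' -> (addr, wildcard)."""
    tok = tokens.pop(0)
    if tok == "any":
        return ANY
    if tok == "host":
        return (_ip(tokens.pop(0)), 0)
    wild = _ip(tokens.pop(0)) if tokens and tokens[0].count(".") == 3 else 0
    return (_ip(tok), wild)

def parse_acls(text):
    """Map list number -> entries (action, proto, src, dst, dport) in config order."""
    acls = {}
    for line in text.splitlines():
        t = line.split()
        if t[:1] != ["access-list"]:
            continue
        num, action, rest = int(t[1]), t[2], t[3:]
        if num <= 99:  # standard list: source address only, any protocol
            entry = (action, "ip", _addr(rest), ANY, None)
        else:          # extended list: proto src dst [eq port] [log]
            proto, src, dst = rest.pop(0), _addr(rest), _addr(rest)
            dport = int(rest[rest.index("eq") + 1]) if "eq" in rest else None
            entry = (action, proto, src, dst, dport)
        acls.setdefault(num, []).append(entry)
    return acls

def evaluate(acl, src, dst="0.0.0.0", proto="ip", dport=None):
    """First match wins (implicit deny at end); wildcard 1-bits are 'don't care'."""
    s, d = _ip(src), _ip(dst)
    for action, eproto, (sa, sw), (da, dw), edport in acl:
        if eproto in ("ip", proto) and edport in (None, dport):
            if not (s ^ sa) & ~sw & 0xFFFFFFFF and not (d ^ da) & ~dw & 0xFFFFFFFF:
                return action
    return "deny"
```

Running evaluate(parse_acls(CONFIG)[105], "14.2.6.18", "14.2.6.250", "tcp", 23) returns "permit", while the same host on port 22, or any other host on port 23, falls through to the logged deny entry.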